Bug 980353 - there will be AVC denial in audit.log when jenkins build is finished
Summary: there will be AVC denial in audit.log when jenkins build is finished
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Brenton Leanhardt
QA Contact: libra bugs
URL:
Whiteboard:
Depends On: 1016057
Blocks:
Reported: 2013-07-02 07:12 UTC by Gaoyun Pei
Modified: 2017-03-08 17:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1016057 (view as bug list)
Environment:
Last Closed: 2013-12-16 09:10:59 UTC
Target Upstream Version:



Description Gaoyun Pei 2013-07-02 07:12:23 UTC
Description of problem:
At the end of a Jenkins build, an AVC denial is generated in audit.log on the node.

Version-Release number of selected component (if applicable):
http://download.lab.bos.redhat.com/rel-eng/OpenShiftEnterprise/1.2/2013-06-26.3/
selinux-policy-targeted-3.7.19-195.el6_4.10.noarch
selinux-policy-3.7.19-195.el6_4.10.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a PHP app and a Jenkins app, and embed jenkins-client in the PHP app

2. Make some changes in the PHP app's git repo to trigger a Jenkins build

3. Monitor audit.log on the node; an AVC denial is generated once the build completes with "SUCCESS"
[root@node1 ~]# tailf /var/log/audit/audit.log |grep avc

type=AVC msg=audit(1372654405.272:100925): avc:  denied  { getattr } for  pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file

Actual results:

Expected results:
No such message in the log

Additional info:

Comment 2 Brenton Leanhardt 2013-09-11 15:53:09 UTC
Miroslav,

Would it be possible to allow processes running in Gears to read MTRR info?

require {
        type mtrr_device_t;
        type openshift_t;
        class file getattr;
}

#============= openshift_t ==============
allow openshift_t mtrr_device_t:file getattr;

This is fairly low severity for now so it could wait until RHEL 6.5.
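A small triage helper, added here as an example (not part of the bug report and not audit2allow itself): it parses the AVC line from the description above and derives the same require/allow block posted in this comment, so the mapping from the denial's scontext/tcontext/tclass/permission fields to the rule is visible. The sample line is the one from the description, embedded as constructed input; the function names are my own.

```python
import re

# Constructed sample: the AVC line quoted in the bug description, as the
# node's /var/log/audit/audit.log records it.
SAMPLE_AVC = (
    'type=AVC msg=audit(1372654405.272:100925): avc:  denied  { getattr } for  '
    'pid=29079 comm="java" path="/proc/mtrr" dev=proc ino=4026531957 '
    'scontext=unconfined_u:system_r:openshift_t:s0:c1,c382 '
    'tcontext=system_u:object_r:mtrr_device_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return result, permission list and key=value fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx):
    """user:role:type[:level] -> the type component."""
    return ctx.split(":")[2]

def allow_rule(rec):
    """Build the require/allow block audit2allow would emit for one denial."""
    src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    perms = " ".join(rec["perms"])
    req = "".join(f"        type {t};\n" for t in sorted({src, tgt}))
    return (f"require {{\n{req}        class {rec['tclass']} {perms};\n}}\n\n"
            f"allow {src} {tgt}:{rec['tclass']} {perms};")

def summarize(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    out = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        out.setdefault(key, set()).update(rec["perms"])
    return out
```

Feeding the whole audit.log through summarize() gives one entry per (source, target, class) triple, which is the quick way to confirm, as Comment 4 does, that only the mtrr_device_t getattr denial appears.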

Comment 3 Miroslav Grepl 2013-09-30 12:51:41 UTC
Are you getting more AVC msgs in permissive mode?

Comment 4 Brenton Leanhardt 2013-09-30 18:37:20 UTC
There are no additional AVC messages in permissive mode.

Comment 5 Miroslav Grepl 2013-10-07 12:04:43 UTC
Could you open a new rhel6.5 bug?

Comment 7 Gaoyun Pei 2013-11-18 07:44:45 UTC
Verified this bug on puddle: 2.0/2013-11-15.1
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch


At the end of the Jenkins build, no AVC denial is generated in audit.log on the node.

